Ah my bad. Can you rerun the same test(s) but substitute your true origin IP address for the Cloudflare IP address. In the examples above that you provided you can see we (Cloudflare) are presenting the same SSL cert on our edge for both. My assumption is that the origin server is showing different ones for some reason and trying to see what cert it is presenting to help figure out if there may be an issue with it.

Or actually you probably did use the origin IP but I screwed up on the host name. I think you’ll need to use https://minnit.chat:2083 as the port as it appears it’s attempting over 443 with the version I gave you even though you properly changed the port in your curl string. I think curl requires the explicit port when it’s not the standard https.

Well… that is sub-optimal. On the plus side, Cloudflare as a proxy probably isn’t the source. On the minus side I have no freaking idea. On the off chance it could be the Cloudflare certificate itself, do you have the ability to change your SSL setting to Full and try with a Let’s encrypt or self signed certificate to see if the issue persists?

Interesting reading and checking all the handshakes it looks like something is going on with the 8.9.1 version; not an expert but from all your test it looks like this article collaborates your finding on using a version 6.11.2 until a solution is found. Question from an observation point — if the connection is less restricted like say http will it work? or will testing the code outside cloudflare environment aid in isolating the issue wiht 6.11.2 and 8.9.1 just a pointer the masters to help in this partial problem since downgrading is the propose solution even thou whats goodies 8.9.1 holds that you need to use it. Hope you find the source I will suggest isolating the environment just in case code 8.9.1 dont’ like rerouting…